Sunday, 28 February 2010

The BigBrotherWatch team hosted a bash at their new offices in Westminster last week, during which a number of speakers raised their concerns at the ease with which so many state officials could access the most holy of holies, the most private of private spaces – yes, the Englishman’s very own home. There are, apparently, well over 1,000 separate rights of entry that public officials can exercise should they need to access someone’s home. Most of these rights were conferred without any reference to previous rights, so there is a great deal of confusion (in the minds of some lawyers, at least) as to when some powers can be exercised, and when others can’t.

The irony of the situation is that it requires, believe it or not, policemen to adopt higher standards of transparency, supervision and accountability than council officials, when it is judged necessary to enter someone’s home. The police, for example, can’t enter someone’s home merely to measure the height of their garden hedge. But other public officials can.

"So what must be done?" murmured the crowd at the BigBrotherWatch bash. “Easy," Lord Selsdon said. “We must restrain the powers of the state.” And he explained that, to that end, on 15 January he had guided his Powers of Entry Etc Bill through its Second Reading in the House of Lords. The purpose of the legislation aim is relatively simple – to address an issue which he eloquently described (at column 720):

“Somehow, we need to simplify everything - and it is a simple matter. All powers of entry should be registered and understood, and anyone who exercises them should enter only at a certain time of day and not at weekends and not in the middle of the night, and should not knock the door down, should be courteous and friendly and have a sign that says who he is - and in big letters, because some people will not have their glasses on when they go to the front door and will be frightened about who they are letting in.”

During the 90 minute debate, Lord Brett, for the Government, set out the scale of the issue. He announced that there are, currently, “1,230 powers contained in 311 statutes and 297 statutory instruments. Since 1997 Parliament has passed 79 Acts and 220 statutory instruments contain references to powers of entry.”

However, he didn’t think that all of Lord Selsdon’s proposals were acceptable. “We believe that the present position should remain and that each power of entry ... should be seen in the context of the offence or regulatory breach that it is intended to deal with. Adopting a uniform approach across all agencies would impact on their operational effectiveness and may prevent or reduce achieving the intended aim of the power. Setting down the operational processes in a single statute or laying out a common set of safeguards and protections would mean an inflexible approach. That does not make for good legislation because it would not recognise the wide range of offences or breaches that require a power of entry to ensure effective enforcement of the law."

He went on (and on). “There are problems and difficulties that need to be addressed and the community of interest is how we are seeking to do that. We are proposing that when any new or amending powers of entry are put before Parliament, the sponsoring department must comply with a code of practice that sets out consideration of what I believe meet many of the points raised. First, there is the justification for the powers, proportionality and impact of their use .... Secondly, there are the rights and safeguards of the owner or occupier of premises. Thirdly, there is consideration of the alternatives of using entry powers. Fourthly, there are the important issues of guidance, training and the competency of those to whom powers would be granted. That is the best way of tackling the misuse of powers of entry. Fifthly, there is the issue of grievance, when people think that they have been mistreated. Whether it is a question of rudeness, lack of information or people overstepping the mark, the answer is to have a complaints procedure. Sixthly, there are the reporting and scrutiny mechanisms of the powers, and seventhly, communications and public access to the data.

Those seven conditions in the code of practice would require that the information is submitted in template format to Parliament when draft legislation is put before it. The template would be published alongside the Bill or draft statutory instrument. The code of practice would also require draft guidance - a draft copy of the notice of powers and rights and details of training requirements to be published at the same time.

We would maintain the central record of entry powers that is currently on the Home Office website. Any new or repealed powers would be added to or deleted from that list. We will shortly be launching a public consultation on how to raise awareness of existing powers and how the public can access their rights and what their expectations should be.”

So that’s it. We are to have a public consultation on how access to one’s home is to be regulated. And we can rely on the Home Office to sort it out. Perhaps we’ll have an equivalent of the mighty Regulation of Investigatory Powers Act, which attempts a form of regulation on the state’s powers to enter one’s digital home, so to speak. Lord Brett might even juice up the powers of the Surveillance Commissioner and let him deal with it. Perhaps he has forgotten there already exists a Surveillance Commissioner. And a Surveillance Commission. You don’t read about either of them too often.

As one of the contributors to the BigBrotherWatch debate earlier in the week pointed out, it's another example of the transfer of what was “private space” to a “state space”, one increasingly controlled by representatives of “an authority”. Is this really what we want? To be faced with a knock on the door at any time of day, even at weekends, from someone who was not courteous and friendly and who carried no sign that says who he is - and in big letters, because some people will not have their glasses on when they go to the front door and will be frightened about who they are letting in?

In times of war or extreme threat, perhaps. But when it’s simply considered desirable to measure the height of an oik's hedge? I'm not so sure.

Saturday, 20 February 2010

In a recent moment of madness, my mind wandered and I started to think what my reaction would be if I were the Data Protection Manager of the Al Bustan Rotana hotel in Dubai and I were to receive a subject access request from one of the individuals whose images are pictured in this blog.

This hotel was the scene of the recent assassination of the Hamas leader Mahmoud al-Mabhouh by persons currently unknown. It seems clear that they used the identities of the people whose images are pictured, and it is equally clear that the hit squad stole these identities from innocent victims.

What should my response be if they were to ask for a report on the personal data the hotel held about them? Would I feel obliged to send them copies of the hotel registration forms, the CCTV footage of them walking around the hotel, the restaurant chits they may have signed after their meals, or would I just send them copies of their passports?

In the end I decided that all they were actually entitled to by UK law was a copy of their passport, but that I would exercise my own discretion and let them see the rest of the stuff simply to assure them that I was totally confident it didn’t relate to them, but the people it did relate to probably had no legitimate expectation of privacy anyway. If you pretend to be someone else, then you only have yourself to blame if I let the innocent victim know how you had managed to impersonate them.

My point is, of course, that just because an individual was originally linked with certain types of information, this does not automatically make all of that information their personal data, and thus available to them should they make a Subject Access Request.

As to what is personal data, well that’s a moot point, and an issue that has been debated with varying degrees of passion over the years. If economists can’t agree on the best way of removing this country from the economic mess it has got itself into, then why should data protection professionals feel inclined to follow identical interpretations?

Life got really interesting in the UK in December 2003, when the Court of Appeal delivered a judgment defining access rights to personal data in terms that were not welcomed with open arms by the guys in Wilmslow, nor by the most hardened privacy activists elsewhere. The atmosphere around the tea trolley at the Commissioner's office must have been positively funereal as Lord Justice Auld delivered a judgment in what has become known as the Durant case. The atmosphere would have been just as gloomy along the corridors of the European Commission.

To cut an extremely long story short, the case was brought by Michael Durant, a former customer of Barclays Bank. Following an unsuccessful dispute with his bank he asked the Financial Services Authority to investigate the bank's conduct. The FSA did so, but did not tell Mr Durant the result, citing reasons of confidentiality. Mr Durant then complained to the FSA Complaints Commissioner, and when that failed, he tried to exercise what he thought were his legal rights to access the FSA’s records containing his personal data.

Mr Durant asked the FSA to disclose manual and electronic documents containing his personal data, in a search for information with which to reopen the original case against Barclays. But, according to Lord Justice Auld: "Mr Durant's letter of complaint to the FSA and the FSA's investigation of that complaint did not relate to Mr Durant but to his complaint".

It was held that the FSA's investigation into Mr Durant's complaint could not be personal data concerning Mr Durant because, "the 1998 Act would only be engaged if, in the course of investigating this complaint, the FSA expressed an opinion about Mr Durant personally, as opposed to an opinion about his complaint."

Lord Justice Auld effectively looked behind the wording of the Act. He looked at the purpose of the wording, which was effectively to protect privacy. It was not, he reasoned, to provide a general right of access to information. He said of the access right: "It is not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved. Nor is to assist him, for example, to obtain discovery of documents that may assist him in litigation or complaints against third parties."

He continued: "It follows from what I have said that not all information retrieved from a computer search against an individual’s name or unique identifier is personal data within the Act. Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree."

This is a really important decision, as it differs from the view that the more privacy friendly advocates generally take, which is that anything which relates in any way to a living individual can be held to be their personal data, so they have a right to access it.

It’s also important as we move into a world increasingly dominated by digital transactions and the internet. We are fast creating an internet of things. Occasionally these things are linked to an individual, possibly because they are to be held accountable should these things get lost or broken. But does this make those things information that an individual is entitled by law to access through the exercise of their subject access rights? I think not. Responsible organisations may always allow these people to see information about the things that they are linked with, but I don’t see why a general discretion to access this information should be confused with a formal entitlement to access it. Especially when an applicant is only entitled to be charged £10 to access information that could have cost a great deal more to compile.

The full Durant judgment can be found at http://www.bailii.org/ew/cases/EWCA/Civ/2003/1746.html

Friday, 19 February 2010

I can sleep well in my bed tonight in the complete assurance that if various public authorities suspect that I might be at risk from someone else’s ulterior motives, they may be exercising their statutory powers to put them under some type of surveillance.

I’m not referring here to techniques which require someone to plant a bug in someone’s home or their car. That sort of stuff is called “intrusive surveillance”, which I’m sure is very carefully controlled. No, I’m talking about a much more mundane sort of surveillance – say following someone in the street, or overhearing their conversations in the pub (or as they are exercising their dogs on the beach). This sort of stuff is called “directed surveillance”. And I'm confident that it's just as well controlled.

And is it just the police who need these powers? Actually no, as a lot of investigators from other public authorities also need to exercise them as they try their hardest to keep the bad guys at bay. The policeoracle.com website has recently (and very helpfully) reminded its readers just who these authorities are. I thought you might be interested. It’s all perfectly lawful – and it’s all perfectly necessary.

So if, as in the final of that old and much loved BBC TV programme The Generation Game, you were asked the following question, which was about memorising a list of authorities who might just be looking out for you, how many from the following list would stick in your brain as you walked around the set to recount them to the compere?

Right now, pay attention. Nice to see you surveilled, to see you surveilled, nice. Investigators from the following authorities are all able, when necessary (and proportionate), to help keep the bad guys at bay. Just how many authorities can you remember from this list? Take a nice deep breath, and concentrate:

• The 43 police forces of England and Wales, the Scottish police forces, the Police Service of Northern Ireland, British Transport Police, the MOD police, and the military police forces
• The Civil Nuclear Constabulary
• The Force comprising the special constables appointed under s 79 of the Harbours, Docks and Piers Clauses Act 1847 on the nomination of the Dover Harbour Board
• The Force comprising the constables appointed under art 3 of the Mersey Docks and Harbour (Police) Order 1975 (SI 1975/1224)
• The Serious Organised Crime Agency (SOCA)
• The Scottish Crime and Drug Enforcement Agency
• The Serious Fraud Office
• The Office of the Police Ombudsman of Northern Ireland
• MI5, MI6, and GCHQ
• The Army, Royal Navy, Royal Marines, Royal Air Force
• The Commissioners for Revenue and Customs
• Any local, county, or district council in England, a London borough council, the Common Council of the City of London in its capacity as a local authority, the Council of the Isles of Scilly, and any county council or county borough council in Wales
• Any fire authority within the meaning of the Fire Services Act 1947 (read with para 2 of Schedule 11 to the Local Government Act 1985)
• The Department of Communities and Local Government
• The Ministry of Defence
• The Department for Environment, Food and Rural Affairs
• The Department of Health
• The Home Office
• The Ministry of Justice
• The Northern Ireland Office
• The Department for Business, Enterprise and Regulatory Reform
• The Department for Transport
• Department for Work and Pensions
• The National Assembly for Wales
• A universal service provider (within the meaning of the Postal Services Act 2000) acting in connection with the provision of a universal postal service (within the meaning of that Act)
• The Postal Services Commission
• The Charity Commission
• The Environment Agency
• The Financial Services Authority
• The Food Standards Agency
• The Gambling Commission
• The Office of Fair Trading
• The Gangmasters Licensing Authority
• The Commission for Healthcare Audit and Inspection
• The Office of Communications
• The Health and Safety Executive
• A Special Health Authority established under s 28 of the National Health Service Act 2006 or s 22 of the National Health Service (Wales) Act 2006
• Her Majesty’s Chief Inspector of Education, Children’s Services and Skills
• The Information Commissioner
• The Royal Pharmaceutical Society of Great Britain
• The Department of Health, Social Services and Public Safety (Northern Ireland)
• The Department of Agriculture and Rural Development (Northern Ireland)
• The Department of Enterprise, Trade and Investment (Northern Ireland)
• The Department of the Environment (Northern Ireland)
• Any district council (within the meaning of s 44 of the Interpretation Act (Northern Ireland) 1954)
• The Department of Regional Development (Northern Ireland)
• The Department of Social Development (Northern Ireland)
• The Department of Culture, Arts and Leisure (Northern Ireland)
• The Foyle, Carlingford and Irish Lights Commission (Northern Ireland)
• The Fisheries Conservancy Board for Northern Ireland (Northern Ireland)
• A Health and Social Services trust established under art 10 of the Health and Personal Social Services (Northern Ireland) Order 1991 (SI 1991/194 (NI 1))
• A Health and Social Services Board established under art 16 of the Health and Personal Social Services (Northern Ireland) Order 1972 (SI 1972/1265 (NI 14))
• The Health and Safety Executive for Northern Ireland
• The Northern Ireland Central Services Agency for the Health and Social Services
• The Fire Authority for Northern Ireland
• The Northern Ireland Housing Executive

Monday, 15 February 2010

Striving for inspiration on how to reconcile a set of potentially conflicting interests a few days ago, I reflected on previous occasions when different sets of people had wanted me to offer advice that favoured their position over that of their opposite number. The question would generally start with either of the following two phrases – which would mean that I was about to be asked to offer a view that one side would use to help trump the views of the other. The phrases were “From a legal perspective ...” and “From a data protection perspective ...” Then the meat of the query would follow.

I find that I can generally use the flexibility of the Data Protection Principles (and the Act itself) to my advantage, as I can often find something that supports either side of an issue. Sometimes I’ll first ask: “but what is it that you actually want the business to do?” before responding with conviction.

Conviction is the key. Once I’ve made my mind up on an issue, it can take some time to change it. But that’s because it may well have taken some time to work out in my own head how I should be applying the principles I stand for. And, having clarified matters in my own mind, the rest is pretty simple, really.

Does this mean I’m stubborn and unmoving? Not really. I’m ready to appreciate that others have different views, and that their views need to be accommodated in an atmosphere of mutual tolerance and respect. But occasionally, when I’m asked to lead on an issue, I know that the views I form won’t naturally be accepted by everyone, and then I need to choose my battles carefully.

Am I invincible? Not at all. I make as many mistakes as anyone else. I just hope that my humility in accepting the error of my ways does not lead people to think that I’ll easily compromise my principles.

I thought about this yesterday as the credits came up on an excellent film that has just been released, showing how Nelson Mandela helped to forge a single nation from bitterly divided South African communities some 20 years ago, by encouraging people of all communities to develop a common passion. This film focussed on sport – showing how the whole nation learnt to support the Springbok rugby team in its bid to win the 1995 Rugby World Cup, which was coincidentally held in South Africa. This film was “Invictus”, the Latin word for unconquered.

The central theme of the film was the strength of self-belief that ran through both Nelson Mandela and the Springbok captain Francois Pienaar. For me, the most striking image was not of the rugby, but of Nelson Mandela’s tiny prison cell on Robben Island. He needed an iron self-belief to survive, and what astounds me is the way he was able, once a free man, to forgive the injustices of the past, not seek retribution and revenge but reconciliation, to build a great nation that is still the pride of Africa.

Mandela’s mantra, if it can be called that, is a poem he used to recite in captivity. Written by William Ernest Henley in 1875 and first published in 1888, Invictus sets out a way of overcoming obstacles. It focuses on the inspiration one needs to conjure up when facing difficult decisions. I can understand why Prime Minister Gordon Brown has admitted to liking it. Not everyone admires it though – writing recently in The Telegraph (11 January 2010), Christopher Howse mocked it as “a superhuman fantasy”, and pointed out that “Fantasy supermen all too often turn out to be subhuman.” Well, if it's good enough for Nelson Mandela, it’s good enough for me.

And as I continue to be asked to flex the Data Protection Principles (and the Act), I’ll also have this muse in mind when the really hard choices need to be made.

Out of the night that covers me,
Black as the pit from pole to pole,
I thank whatever gods may be
For my unconquerable soul.

In the fell clutch of circumstance
I have not winced nor cried aloud.
Under the bludgeonings of chance
My head is bloody, but unbowed.

Beyond this place of wrath and tears
Looms but the Horror of the shade,
And yet the menace of the years
Finds and shall find me unafraid.

It matters not how strait the gate,
How charged with punishments the scroll,
I am the master of my fate:
I am the captain of my soul.

Sunday, 14 February 2010

A new technology has emerged since the creation of the Data Protection Directive in 1995, and the eurocrats have developed a special legal instrument which is designed to take account of the particular challenges of this technology.

The technology concerns RFID tags – devices which either produce a radio signal themselves, or reflect and modulate a carrier signal received from a reader or writer. One is embedded in the plastic card I use to pay for my lunch (and coffee and crisps and chocolate) at work. Lots of people in and around London carry one, as they are also embedded in Oyster travel cards. They can be as small as a grain of sand.

The cost of these RFID tags is continually falling, so soon it may be possible for retailers to replace all the current barcode labels on merchandise with a tag instead. Wouldn’t it be so much more convenient to arrive at the checkout till with your goodies already packed away in your bag, and for someone just to run a scanner over our stuff (or perhaps we could walk through an RFID sniffing arch) to instantly assess what we had taken and know how much we needed to pay? Marvellous. Can’t wait.

Last May, the European Commission quietly issued a Recommendation on the implementation of data protection and privacy principles for RFID tags. Those that need to will be able to find it when they search under the snappy reference “Brussels, 12.5.2009 C(2009) 3200 final”. A Recommendation is not as binding as a Directive. Member states can effectively ignore Recommendations and get away with it. They can’t be subject to infringement proceedings, which is what occurs when they fail to implement Directives properly.

Crucially, within three years from the publication of the Recommendation in the Official Journal of the European Union, the Commission is to provide a report on its implementation, effectiveness and impact on operators and consumers, in particular as regards the measures recommended in points 9 to 14. Again, I can’t wait.

Points 9 to 14 concern cases when an RFID tag is used by the retail trade. A common RFID sign is to be developed, to warn consumers of the presence of a tag. Privacy impact assessments are to be carried out to determine whether the presence of a tag will threaten an individual’s privacy or their personal data. And if they do threaten an individual’s privacy or personal data, the tags are to be deactivated at point of sale by the operators, immediately and free of charge, unless consumers have given their consent to keeping the tags operational.

I must admit that at first glance I am struggling to understand what safeguards this Recommendation provides to consumers that add to those already contained in the 1995 Data Protection Directive. The only really new safeguard appears to be set out in point 5, which is an obligation on the part of the operator to carry out a privacy impact assessment of the RFID application, and make it available to the competent authority six weeks before it is deployed. But most sensible operators already carry out privacy impact assessments when new applications are planned to be introduced, anyway.

I like the phrase “make it available to the competent authority”. It does not appear to require the assessment to be formally notified to the competent authority, merely, perhaps, that a copy should be published on an operator’s website. If the competent authority is not aware of its existence, then that’s not necessarily an issue for the operator. The onus appears to be on the competent authority to crawl through websites to see if any changes have been made recently. That’s what I find I need to do occasionally, to see if any of the guidance documents currently available on the ICO's website have been quietly changed. I've just noticed, for example, the slightly revised guidance on notifying security breaches to the Commissioner's Office, which was posted earlier this week (version 2 of the guidance is dated 9 February 2010). Have many other people noticed this change? The ICO publishes lots of information, and lots of it is very helpful. It's sometimes just hard to keep abreast of all the changes, though. Quid pro quo.

My mind began to spin though as I wondered who the competent authority would be if, following the privacy impact assessment, no personal data was actually at risk. If an operator is just adding RFID tags to cans of custard to track them through the supply chain, from the manufacturer right up to the door of the corner shop, to whom should the assessment be made available? It doesn’t concern the Information Commissioner. Should there be, say, a Commissioner for Custard? Doesn’t make sense.

So, the Recommendation can make sense only if it is to apply to information which eventually becomes “personal data” – but surely those issues are already addressed in sufficient detail by the Data Protection Directive (and by the national implementing laws).

I don’t see any reason why life needs to become ever more complicated by the creation of sectoral Directives and Recommendations. Life is full and complicated enough as it is. Let’s just have the 1995 Directive and try to make the most of it, at least until a new one replaces it.

Do we need to wait until May 2012 before telling the Commission that the Recommendation hasn’t really had, and probably won’t have, much effect (as the existing legal safeguards for securing personal data are perfectly adequate), or should we send the response on a postcard now?

Saturday, 13 February 2010

Those with eagle eyes will have noticed the ICO’s recent victory over the Labour Party. It shows his independence and gives the lie to the charge that they’re all a bunch of lefties up in Wilmslow. No, they’re independent of political persuasion, and are happy to issue enforcement notices to political parties of any colour. This may be one reason why they’re always starved of resources.

It appears that in July 2007 the ICO received a complaint from a member of the public that he had received an automated marketing telephone call from the Labour Party despite never consenting to receive such calls. The call allegedly consisted of a recorded message from the former Coronation Street actress Liz Dawn. After reviewing the transcript, the ICO advised the Labour Party that it would constitute direct marketing; Labour subsequently agreed to stop making these or any similar calls.

However, in June 2009 the ICO received further complaints. The Scottish National Party and a member of the public reported that unsolicited automated calls, consisting of another recorded message from Liz Dawn, had been made encouraging recipients to vote in the local and European elections. The Labour Party confirmed that the calls were made to approximately 495,000 recipients, in what were believed to be Labour supporting areas, and that the majority of numbers were obtained using commercially purchased lists.

In a press release dated 9 February 2010 David Smith, Deputy Information Commissioner, said: “The ICO has consistently made clear that the promotion of a political party counts as marketing. We have previously issued detailed guidance to all major political parties on this subject. The Labour Party has breached privacy rules by making automated marketing calls to individuals who have not consented to receiving such calls. The fact that the calls were targeted at what were believed to be Labour supporting areas confirmed our view that they were designed to promote the Labour Party’s electoral cause by encouraging Labour supporters to vote. Automated calls can cause annoyance and disruption which is why it is so important for organisations making such calls to gain the consent of individuals.”

This sort of action is not new – either by the Commissioner or the political parties.

In 2005 the ICO issued updated guidance to political parties about their legal obligations, but still found it necessary to serve enforcement notices against the Conservative Party and the Scottish National Party that year, and three years later against the Liberal Democrats. In all cases, the parties had made unsolicited automated marketing phone calls to members of the public who had not given their consent to receive them. Failure to comply with an enforcement notice is a criminal offence and could lead to prosecution.

I suppose the wider problem comes in determining what is a marketing message which people are entitled to object to, and what is another form of communication, say a service communication, which they can’t object to receiving. Automated voice calls can be a nuisance, if you have to listen to them, but I wonder whether the same standards would be applied to emails and other communications sent electronically. I suspect that what Mrs Merton may term “a heated debate” will continue for some time over whether a particular communication falls into either category. The test, I suppose, will depend on whether the person sending the communications already has any sort of existing relationship with the recipient. And where there is a relationship with the recipient, then it would be helpful to set out what the recipient can expect to receive from the sender, and what rights exist (if any) to exercise any communications preferences. Would it be different if the communication were sent to a laptop rather than a phone?

The ICO’s position stems from a pretty loose statutory definition of marketing in the Data Protection Act. As it helpfully sets out in its latest enforcement notice, “Direct marketing” is defined in section 11(3) of the Act as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”. The Commissioner considers that the term “direct marketing” includes approaches made by political parties making appeals for funds or support, or otherwise for the purpose of promoting the party.

Is this approach followed in other jurisdictions? For inspiration, I had a quick squint at the privacy policy of a well-respected Catholic organisation in America, to see how they made their practices clear to their followers. Catholic Online LLC is based in Bakersfield, California, and tries to be pretty transparent about what rights its subscribers have:

• Catholic Online, LLC does not provide any personal information to the advertiser when you interact with or view a targeted ad. However, by interacting with or viewing an ad you are consenting to the possibility that the advertiser will make the assumption that you meet the targeting criteria used to display the ad.

• Catholic Online, LLC advertisers include financial service providers (such as banks, insurance agents, stock brokers and mortgage lenders) and non-financial companies (such as stores, airlines, and software companies).

You can edit your Catholic Online, LLC Account Information, including your marketing preferences, at any time.

New categories of marketing communications might be added to the Marketing Preferences page from time to time. Users who visit this page can opt out of receiving future marketing communications from these new categories or they can unsubscribe by following instructions contained in the messages they receive.

We reserve the right to send you certain communications relating to the Catholic Online, LLC service, such as service announcements, administrative messages and the Catholic Online, LLC Newsletters that are considered part of your Catholic Online, LLC account, without offering you the opportunity to opt out of receiving them.

I think this is a great example of an organisation that is trying to set the expectations of its subscribers. It makes it clear that subscribers don’t have rights to object to receiving service announcements and administrative messages while they remain subscribed to the service.

I’ll look for evidence of other organisations copying this initiative.

Friday, 12 February 2010

Last December, the Council of the European Union published proposals to deal with the delicate balance between an individual’s privacy and their expectation of freedom, security and justice. It’s all about bringing what were separate pillars of the European Union, each of which had their own legal cultures, closer together to share a single culture. In the terms that I want to discuss in this blog, it’s about ensuring that the principles of the Data Protection Directive we have all grown so familiar with can be extended to include issues that lurk in the corners of national security and law enforcement. And if the principles can’t be extended, then by implication, new principles will take their place.

The proposals are set out in what has become known as the Stockholm Programme, which is an 82 page document that isn’t particularly easy to read. No jokes, no pictures. Just page upon page of pretty unremitting text. (The picture on the left was taken by me - it's of Stockholm's City Hall, where the Nobel Peace Prize is awarded to a deserving recipient each year.)

For those who want to find a copy of the document on the internet, it's filed under the snappy references of CO EUR-PREP 3, JAI 896 and POLGEN 229.

The document doesn’t propose many answers – but it does recognise that a balance has to be struck between different needs. The EU must “respond to the challenge posed by the increasing exchange of personal data and the need to ensure the protection of privacy” (paragraph 2.5). This means change. What sort of change? Not sure.

The European Commission has been invited to “evaluate the functioning of the various instruments on data protection and present, where necessary, further legislative and non-legislative initiatives.” Also, it is to “consider core elements for data protection agreements with third states for law enforcement purposes, which may include, where necessary, privately held data, based on a high level of data protection.” So, presumably this paves the way for new rules regulating the way information held by a private company in one member state is to be made available to a law enforcement agency in another member state. What will happen when a private company in one member state is asked to pass information to investigators in a member state that appears to have lower standards of respect for fundamental rights than the first member state? Not sure. Is it assumed that all EU member states currently enjoy equally high standards of respect for fundamental rights (or at least they all enjoy an adequate standard) so this won’t be a problem? We’ll see.

On terrorism, the EU “must ensure that all tools are deployed in the fight against terrorism while fully respecting fundamental rights” (paragraph 4.5). But is it always appropriate to fully respect the fundamental rights of someone who has no regard for any of our rights, and is absolutely determined to commit harm on the widest scale possible? After all, the programme also requires that “measures in the fight against terrorism must be undertaken within the framework of full respect for fundamental rights so that they do not give rise to challenge.”

Or do we expect other countries to do any dirty work for us by using their own rendition programmes to obtain and provide us with information using techniques that would not be acceptable within the EU? Surely not.

The European Council also considers that “the instruments for combating the financing of terrorism must be adapted to the new potential vulnerabilities of the financial system, as well as cash smuggling and abuse of money services, and to new payment methods used by terrorists” (paragraph 4.5). Presumably this means greater surveillance on all types of financial transfers, large and not so large – and a greater reliance on automatic detection systems that flag subtle changes in an individual’s profile that may indicate terrorist activity. I wonder how many false positive reports these transfers might generate – and how many extra investigators would be required to examine these reports. From what I’ve read about terrorists, they have an alarming tendency to adapt and change their tactics. If that is the case, then who will set the flags to indicate when someone changes their pattern of behaviour to one which is more akin to the type of terrorist activity that has (probably) not yet been detected?

I’m so glad I’m not a law enforcement investigator – or a politician charged with the responsibility of dealing with a failure in the system. The odds do appear to be stacked against me.

But I welcome the chance to contribute to the debate, and will do in future blogs. I’m just sad that, given its huge significance, the document appears to have been slipped out into the public domain without any fanfare whatsoever. Were we not expected to participate in the debate? Did I miss something? Or did the eurocrats just forget to ask us?

Thursday, 11 February 2010

I saw this photograph in yesterday’s London Evening Standard, showing just ten (or eleven) MPs hard at work in the chamber of the House of Commons at 3pm yesterday afternoon. The image captured a minister and his aide, while there were seven Tories, one Liberal Democrat, and possibly another MP chatting to Mr Speaker during the debate on European legislation.

I appreciate that a lot of MPs are “demob happy”, in that they’ll soon be leaving Parliament at the next General Election, but even so I think they ought to make some sort of effort before their absence from parliamentary duties is noticed by the electorate. Surely they ought to try and salvage something from the last few weeks of this session?

They could, for example, try and get a bit more data protection legislation passed.

Some of us remember that back in October, the Ministry of Justice published a consultation paper on the introduction of custodial sentences of a maximum of 2 years for serious Data Protection Act offences. These offences concerned the obtaining, disclosing or procuring the disclosure to another of personal data. The consultation opened on 15 October 2009 and closed on 7 January 2010. The proposals, as set out at the foot of page 13 of the consultation paper, were quite specific as to the timing of their introduction too:

"The ICO is set to receive enhanced powers in early 2010 as a result of provisions contained elsewhere in the Criminal Justice & Immigration Act 2008 and, subject to Parliamentary approval, the Coroners and Justice Bill. Subject to the responses to this consultation, we therefore propose to commence these higher penalties in April 2010 in order to maximise awareness among the public and interested parties of these changes.”

Well, January 2010 has come and gone. And we are well into February. April is not that far away. And have we seen any positive action recently from the chaps in Petty France? And why not? Have their best intentions been thwarted by the parliamentary business managers who are trying to work out what legislation needs to be forced through Parliament before this Government gives up? Surely, when the consultation paper was originally published, even the Government was aware that a General Election was looming sometime in 2010. It’s hard to understand how a popular and deserving initiative like this could have run out of parliamentary time. Unless no-one bothered to think ahead into 2010 back in October 2009.

Was this consultation paper merely an example of political posturing, from a ministry that had no intention of implementing the proposals? Or has their parliamentary time been taken up by others who believe that there are more pressing matters to consider? From the number of politicians who attended the House of Commons yesterday afternoon, evidently a lot have got matters to attend to that are much more pressing than the business that concerns Parliament.

Perhaps a significant number of them have actually forgotten where they left their House of Commons entry pass. After all, they had a 12-week break from Parliament last summer, and are now on an official 11-day half-term break, which comes only a month after they returned from their constituencies. Did they leave it at home on the dining room table? And, if so, in which of their homes?

But all is not quite lost. Hopefully, my faith in human nature, and in the good intentions of Secretary of State Michael Wills and his boss Jack Straw, will be redeemed. One can live in earnest expectation that they will actually deliver what they had planned. We can't be out of time just yet. I don't think I would bet any money on it, though.

Otherwise, let’s see if these proposals turn into manifesto commitments for each of the political parties at the forthcoming general election. Then, their supporters can, eventually, congratulate the new Government on actually fulfilling a promise.

A legislative logjam or another miscalculation by the Parliamentary business managers?

Sunday, 7 February 2010

I first heard Kenneth Williams tell this story, which is about an author at a book signing.

The author is approached by an old woman clutching a copy of his book.

“And who should I make it out to?” he asks.

“Emma Chissett,” she replies.

He proceeds to write 'To Emma..' but is swiftly interrupted by the agitated woman.

“No,” she says, “That's not my name. I said how much is it?”

Priceless. It’s a reminder to me that I should never take things just as I hear them. Someone else may be giving out an entirely different message.

So what should I take of the recent news that, according to the policeoracle.com website, the Metropolitan Police is, in these economically challenging times, considering ever more cunning ways of making up to £500 million in savings over the next few years, while maintaining key services? It will apparently involve a recruitment freeze (I’m glad I’m not one of the 2,000 candidates waiting for a start date) despite crime fighting remaining a political top priority. But I don’t know whether it will involve the Home Office stepping in to fund services that were previously funded by the Met.

And I imagine that all of the other law enforcement agencies in the UK are facing similar challenges.

Why should I be interested in this subject? Well, as law enforcement budgets are squeezed, I’m wondering how confident communication service providers will remain as they develop their plans to ensure that the communications records that the Home Office may consider are essential for the purposes of crime prevention can actually be retained and, when necessary (and proportionate), be sent to the investigating authorities.

The mighty Regulation of Investigatory Powers Act (RIPA) has a few things to say about cost recovery. Section 24 (Arrangements for payments) provides that “It shall be the duty of the Secretary of State to ensure that such arrangements are in force as he thinks appropriate for requiring or authorising, in such cases as he thinks fit, the making to postal and telecommunications operators of appropriate contributions towards the costs incurred by them ... [and] ... for the purpose of complying with his duty under this section, the Secretary of State may make arrangements for payments to be made out of money provided by Parliament.”

So, the mighty RIPA could be read as enabling the Home Office to make payments directly to service providers to reimburse them for the costs that have been incurred in retaining and disclosing records. Or, it could be interpreted as enabling individual law enforcement agencies to feel obliged to reimburse the service providers themselves whenever they asked for some communications records.

If I were the communications data cost centre manager within a law enforcement agency tasked with reducing my overall budget, I’m sure that I would do whatever I could to transfer various costs to someone else – such as the Home Office. Equally, if I were a Home Office cost centre manager tasked with reducing my budget, I might try as hard as I could to get the relevant law enforcement agency to meet the costs for communications records, as it was those investigators who required the records in the first place. It seems to me that the time is fast coming for what Caroline Aherne's Mrs Merton would cheerfully term "a heated debate" to be had between all these cost centre managers.

It would be a nightmare scenario if it were to be the case that the Home Office were to decide centrally what records were to be retained, but expect the local law enforcement agencies to pick up the bill themselves. And then to belatedly realise that the local agencies didn't actually have the money. If the local agencies can’t afford the retention costs, then they shouldn’t expect the Home Office to require the providers to keep the records in the first place. He who pays the piper ought to be calling the tune.

And what would I do if I were a communications service provider, stuck in the middle, as it were? I might be tempted to ask the Home Secretary for reassurance that if he wants new ways of retaining and providing communications data to be developed, he’ll underwrite the costs. Or, if he is unable to underwrite all of the costs, perhaps he might be so kind as to explain to the provider what costs he would expect the provider to pay, and what costs ought to be met from the public purse.

Does it matter? Well, in times of economic uncertainty, when service providers are as keen to keep an accurate eye on their finances as are national governments, it would probably help everyone if there existed a level of confidence as to what financial arrangements the Secretary of State may feel to be appropriate in the medium term. I doubt that anyone wants to commit themselves to projects that may require a commitment to spending significant amounts of money over a period of years if there is the possibility that the cost recovery element may be threatened during that period. Not a Government. And probably not a provider.

A little clarity might be useful – but then again I’m sure that the Home Secretary himself would welcome a little clarity as to whether he will be continuing in his current job after the next election.

Saturday, 6 February 2010

Off a few evenings ago to the BFI London IMAX cinema for the commercial launch of a new service which is to be made available to people in the advertising community who want to know whether many people have accessed particular websites from mobile devices.

I like IMAX cinemas and make a point of visiting them whenever I'm in a city that has one. Whenever you get the chance, just get yourself over to Waterloo, book one of the 500 seats and marvel at the spectacle. Watching a film at the BFI's IMAX is completely immersive. The screen is more than 20 metres high (that's nearly the height of five double-decker buses!) and 26 metres wide. With 11,600 watts of digital surround-sound and the most sophisticated motion-picture projection system in the world, you will literally feel like you are 'in the picture'. I was last there for a 3D IMAX screening of Avatar a week or so ago, and can’t wait to get back for the next blockbuster. Once you’ve had that experience once or twice, you do get a craving for more.

Anyway, back to the point. A significant challenge in the development of the new mobile measurement service was that of creating a way of giving media owners the opportunity to allow an independent auditing organisation to audit the popularity of particular websites, but in a way that did not compromise the privacy of the people who visited those websites.

The main British mobile network operators, with the guidance of their trade body the GSM Association, played a critical role in designing this service – and after a great deal of careful thought and close liaison with almost everyone you can think of (including the bods at the European Commission), a cunning plan was hatched which ought to work. The media owners will be able to access reports which show how popular various websites are at different times of the day, while the mobile operators will still not be able to know which of their customers visited these various websites at particular times of the day. The trick has involved a special way of irreversibly anonymising mobile phone numbers so that, once you have the final hashed number, you can’t reverse the process and identify the original user. It’s about as privacy friendly as you can get. Especially once you’ve applied other smart rules requiring raw data logs to be deleted quickly, and other rules making it impossible to create reports about small numbers of visitors to particular websites. The service is really designed to generate reports on the most popular websites – as it’s those that advertisers are likely to wish to buy advertising space on. No-one wants their advertising budgets to be wasted by buying space on websites that their potential customers will hardly ever visit.

No doubt the media planners will find it a useful tool as they work out where to allocate their media spend – should it be on television adverts, the traditional press, or internet sites that will be accessed by people from both laptops and mobile devices? And how long do people spend on particular websites, and at what times of the day are the popular websites most popular? If it’s these questions that are being asked, then the service should be capable of providing the answers.

The first published set of statistics (gathered in December 2009 from the mobile phone companies that were the first to participate in the initiative, rather than all the UK operators) revealed that social networking site Facebook dominated mobile internet traffic. It accounted for nearly half of all the time people in the UK spent going online using their handsets. Around 16 million people in the UK accessed the Internet via mobile that month, viewing nearly 7 billion pages of online content.

But, and this is a big but, if a media auditor wants to know exactly what I did when I went on-line, then he’ll be disappointed. He won’t find out – at least not until I give him permission to convert my phone number into the special hashed value. And even when he has my permission, he’ll then have to contact a number of people who each played a separate role in creating the hashing algorithms. These numbers weren’t anonymised just the once. Oh no. You need to unlock the box a couple of times, so to speak. The security measures were good enough for the bods at the European Commission, so they ought to offer a meaningful level of protection for someone like me.
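The layered anonymisation and small-count rule described above, as an added example that is not part of the original post and not the measurement service's actual design. It assumes HMAC-SHA256, three hypothetical key holders, a minimum-visitor threshold of 3 and constructed sample numbers, and it also shows why a plain unkeyed hash of a phone number would not be enough.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Hypothetical parties. Each generates and keeps its own secret key, so no
# single party can turn a phone number into the final pseudonym on its own.
KEY_HOLDERS = ("operator", "trade_body", "auditor")
MIN_VISITORS = 3  # assumed suppression threshold; the post gives no figure


def new_keys():
    """One independent 256-bit key per key holder."""
    return {name: secrets.token_bytes(32) for name in KEY_HOLDERS}


def normalise_msisdn(number):
    """Reduce a UK mobile number to digits in international form (447...)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if digits.startswith("00"):
        digits = digits[2:]
    elif digits.startswith("0"):
        digits = "44" + digits[1:]
    return digits


def pseudonymise(number, keys):
    """Apply one keyed hash per key holder, each over the previous output."""
    value = normalise_msisdn(number).encode()
    for name in KEY_HOLDERS:
        value = hmac.new(keys[name], value, hashlib.sha256).digest()
    return value.hex()


def unkeyed_hash(number):
    """Weak alternative: a bare hash with no secret involved."""
    return hashlib.sha256(normalise_msisdn(number).encode()).hexdigest()


def recover_by_enumeration(target, candidates, hash_fn):
    """Phone numbers form a small space: hash every candidate and compare."""
    for number in candidates:
        if hmac.compare_digest(hash_fn(number), target):
            return number
    return None


def build_report(raw_log, keys, min_visitors=MIN_VISITORS):
    """Count distinct pseudonyms per (site, hour); drop small audiences.

    Only the aggregate counts are returned. The raw log and the pseudonyms
    are not kept, matching the rule that raw data is deleted quickly.
    """
    visitors = defaultdict(set)
    for number, site, hour in raw_log:
        visitors[(site, hour)].add(pseudonymise(number, keys))
    return {
        key: len(people)
        for key, people in visitors.items()
        if len(people) >= min_visitors
    }


# Constructed sample data. The numbers come from the 07700 900xxx block
# that Ofcom reserves for TV drama, so they belong to nobody.
DRAMA_RANGE = [f"07700900{n:03d}" for n in range(1000)]
SAMPLE_LOG = [
    ("07700 900001", "social.example", 9),
    ("+44 7700 900002", "social.example", 9),
    ("07700900003", "social.example", 9),
    ("07700 900001", "social.example", 9),  # repeat visit by the same person
    ("07700 900004", "niche.example", 9),   # audience of one: suppressed
]

if __name__ == "__main__":
    keys = new_keys()
    print("report:", build_report(SAMPLE_LOG, keys))

    target = "07700 900123"
    print("unkeyed hash reversed to:",
          recover_by_enumeration(unkeyed_hash(target), DRAMA_RANGE, unkeyed_hash))

    outsider_keys = new_keys()  # an outsider has none of the real keys
    print("layered keyed hash reversed to:",
          recover_by_enumeration(pseudonymise(target, keys), DRAMA_RANGE,
                                 lambda n: pseudonymise(n, outsider_keys)))
```

Someone who holds all three keys can still recompute the pseudonym for a number they already know, which is the consent route the post describes.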

What I am now keen to understand is just how many people might view their “privacy” as a tradable commodity, and “sell” their privacy to an auditor to allow their on-line behaviour to be tracked. We’ve all read stories about how willing people are to share their account passwords, etc, with apparent strangers for a small sum of money. Let’s examine the extent to which people actually value their on-line privacy, by giving them the opportunity to allow their actual behaviour to be tracked for a few pounds – or even just a few pence.

Friday, 5 February 2010

Ian Walden, Professor in Information & Communications Law, certainly knows how to find a lecture title that guarantees a large audience. For his inaugural lecture, he chose to speak on “porn, pipes and the state” at Queen Mary, University of London, a few nights ago. It wasn’t only students who packed the benches – a number of extremely well known figures in the “porn prevention” world had also popped over to East London for the evening, and I didn’t meet anyone who felt short-changed by the event.

Ian is one of those academic professors who knows how to sense what sort of audience is before him, and then tailors his remarks so that they inform, provoke and entertain those who are listening to what he is saying. He’s there to argue his case with a sense of humour, conviction and passion, rather than just show us all how clever he is. And his points led to conclusions I found myself agreeing with.

Ian’s view of the way the internet may need to be regulated is broadly the same as mine. We start by looking at the limits of what the state can actually do. It has a jurisdictional problem in that many of the ills on the internet lie outside the UK’s legal borders, but ways still need to be found to protect UK citizens. Fortunately, private actors, such as internet service providers, don’t have the same jurisdictional problems as the state. Google and Yahoo, with their global reach, can achieve results that states can’t. And, other internet service providers can, on a voluntary basis, devise ways to protect their users from the effects of certain types of internet content by making it very hard for them to access those internet addresses in the first place. Yes this is censorship. But we have always had censorship. Many western states have just decided, for obscure reasons, that while they don’t approve of Chinese style political censorship, it’s ok to allow the more sensible internet service providers to adopt forms of Western style cultural censorship.

A British example of such censorship is the Internet Watch Foundation, which evaluates certain types of content on the internet and, if judged illegal, helps British internet service providers ensure that their users can’t access it.

But Ian made the vitally important point that it was one thing for the state to ask private sector organisations to assist them by preventing crime (such as restricting access to certain internet sites), but a wholly different thing for the state to ask them to participate in criminal investigations – say by monitoring and reporting on what their users were actually doing. There are only several hundred web sites at any one time that are actually banned as they contain illegal material. But, for various reasons, there are millions of users who have apparently tried to access these sites. Investigating just a small proportion of these millions of users could well bring the criminal justice system to its knees. And it could greatly damage the relationship that internet service providers have with their customers. As Ian wryly remarked, “In the internet environment everyone nearly always gets upset.” I don’t think any provider wants to deal with customers who are either upset or capable of getting whipped up into a frenzy because someone has started a campaign against them.

Can we trust what ministers say about such matters? Do their statements actually reflect Government policy? It’s hard to judge, as the ministers change quite frequently and they don’t tend to feel obliged to follow their predecessors. Take a look at what some Secretaries of State for Culture, Media & Sport had to say about the same issue. In 2002 Theresa Jowell said “We don’t intend to regulate the internet.” Yet, just 6 years later, when he was doing the same job, Andy Burnham said “There is content that should not be available to be viewed. That is my view. Absolutely categorical.”

But does it matter that they disagree?

In my view, it probably doesn’t matter too much what ministers say, as the state lacks many of the tools it would like to have to ensure that its will can be enforced in any event. Does this mean that anarchy will thrive? No it certainly does not, as internet service providers are always capable of acting responsibly. As Ian put it, “Self regulation is a method of governance, rather than an absence of law.” And, in my view, self regulation should not be seen as an inferior method of governance to that of statutory regulation.

Sometimes, you don’t need the law to force people to do things. Most responsible people behave honourably on most occasions. So, even when the state finds itself impotent as it tries to regulate internet content, there will usually be someone else around who is more than capable of doing the job.

Tuesday, 2 February 2010

(With apologies to Mel Brooks, who produces puns that are so much better than mine...)

I expect that lots of people would want to join the European pirate movement, but I don’t think that I am one of them just yet. Should they be written off as “an ineffective and short term movement of anarchistic freeloaders”, or is it “an ideological presence that’s here to stay in democratic countries around the world?”

Please, before I get bombarded with complaints about these phrases, let me explain that they were the very words that were used in a recent article by Philip Hunt, the Campaigns Officer for the Pirate Party UK (in the September 2009 edition of the e-commerce law & policy journal). And, for the record, he disagreed with the first description, and supported the second.

I hope they don't mind, but I'm displaying one of their posters from their website on this blog. I don't intend to commit an offence and misuse any of their intellectual property.

What are their main concerns? Well, their website sets them out pretty clearly:

"In recent years we have seen an unprecedented onslaught on the rights of the individual. We are treated like criminals when we share entertainment digitally, even though this is just the modern equivalent of lending a book or a DVD to a friend. We look on helpless as our culture and heritage, so important for binding our society together, is eroded and privatised.

Now there is a democratic alternative. We, the people, can take back our rights. We, the people, can overturn the fat cats and the corrupt MPs who hold our nation's cultural treasures to ransom, ignore our democratic wishes and undermine our civil liberties.

The internet has turned our world into a global village. Ideas can be shared at incredible speed, and at negligible cost. The benefits are plain to see, but as a result, many vested interests are threatened. The old guard works hard to preserve their power and their privilege, so we must work hard for our freedom. The Pirate Party offers an alternative to the last century's struggles between political left and political right. We are open to anyone and everyone who wants to live in a fair and open society.

Following on from the wildfire success of our sister parties in other countries, the Pirate Party UK offers a new way to tackle society's problems, by releasing the potential of ideas, at the expense of corporate monopolies and the interests of a controlling state."

To address these concerns, the Pirate Party UK has three core policies:

• Reform copyright and patent law. We want to legalise non-commercial file sharing and reduce the excessive length of copyright protection, while ensuring that when creative works are sold, it's the artists who benefit, not monopoly rights holders. We want a patent system that doesn't stifle innovation or make life saving drugs so expensive that patients die.

• End the excessive surveillance, profiling, tracking and monitoring of innocent people by Government and big businesses.

• Ensure that everyone has real freedom of speech and real freedom to enjoy and participate in our shared culture.

What do I think about these policies?

I can understand their wish to reform copyright and patent law, as the current law does not seem to work too well in an internet environment. But copyright holders must have some rights too. I find it hard to work out for myself how the balance can be drawn between these competing rights when, thanks to the digital age, it is so easy to create perfect “copies” of property that someone else might rightly claim to own - and make their living from.

I can understand their fear of surveillance, especially if it is used to detect someone who has created a perfect “copy” of something that someone else actually owns. But I don't think that miscreants automatically have a right to hide their tracks by relying on a cloak of anonymity.

And I can understand their wish to embrace free speech – but again so long as it does not impinge on the legitimate rights of others. I sometimes have views that I keep to myself – because I don’t feel it necessary to provoke someone even though all I would wish to express was my own opinion. Others have rights not to be offended too. We still live, in Britain, in a polite society. My bit of Britain, Crouch End, is populated by people who try to behave more like Caroline Aherne's "Mrs Merton" than Catherine Tate's "Nan".

So, I will be looking out for the candidates from the Pirate Party UK as they begin to participate in mainstream British politics. I hope that their views will provoke some very interesting debates. And, as elections to the devolved assemblies in Scotland, Northern Ireland and Wales are run under a system of proportional representation, they might even win a seat or two in 2011.

About Me

I'm Martin Hoskins, and I started this blog to offer somewhat of an irreverent approach to data protection issues. As time has passed, the tone of my posts has become more serious.
I'm not a "high priest" of data protection. I focus on the principles of transparency, fairness, practicality, risk-assessment and pragmatism when dealing with issues, rather than applying every aspect of every data protection rule.
While I may occasionally appear to criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity, so these comments should never be taken to represent anyone else's views on what I write about.
I occasionally tweet as @DataProtector.
You can contact me at:
info@martinhoskins.com.